IP Filter could allow an attacker to bypass firewall rules
| ip-filter-bypass-firewall (10409) |  Medium Risk |
Description:
Darren Reed¿s IP Filter could allow a remote attacker to bypass firewall rules, caused by a vulnerability in the FTP proxy. A remote attacker could send a specially-fragmented TCP or ICMP connection packet to bypass the firewall rules and create an unauthorized connection.
Consequences:
Bypass Security
Remedy:
Upgrade to the latest version of IP Filter (3.4.29 or later), available from the IP Filter Web page. See References.
References:
- IP Filter Web site: What's New for IP Filter.
- IPFilter Web site: Download.
- BID-6010: IPFilter FTP Proxy Unauthorized Access Vulnerability
- CVE-2002-1978: IPFilter 3.1.1 through 3.4.28 allows remote attackers to bypass firewall rules by sending a PASV command string as the argument of another command to an FTP server, which generates a response that contains the string, causing IPFilter to treat the response as if it were a legitimate PASV command from the server.
- SECTRACK ID: 1005442: IP Filter Linux Firewall Software FTP Proxy Bug Lets Remote Users Bypass the Rule Set
- US-CERT VU#328867: Multiple vendors` firewalls do not adequately keep state of FTP traffic
Platforms Affected:
- Darren Reed IPFilter prior to 3.4.29
Reported:
Oct 17, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net